Edit tour
Windows
Analysis Report
1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe
Overview
General Information
| Sample name: | 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
| Analysis ID: | 1525554 |
| MD5: | af9d6cdc4ff098c170ad543c236e6e0a |
| SHA1: | eb3dd66a5e96512f94fd29b07d2ac277d66b30b6 |
| SHA256: | 372cbc51a06856ab5865659790ec01821c095afda53e177256eebe1ae4af5b6a |
| Tags: | base64-decodedexeuser-abuse_ch |
| Infos: |   |
 | |
Detection
Remcos
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for sample
Uses dynamic DNS services
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe (PID: 7824 cmdline: "C:\Users\ user\Deskt op\1728033 125dd387fe d0490e7ade 394383eca6 a3c5cb1fd0 e94f8067e0 3fabd8e0d7 41cea5c331 .dat-decod ed.exe" MD5: AF9D6CDC4FF098C170AD543C236E6E0A)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity. |
{"Host:Port:Password": "ab9001.ddns.net:31944:1", "Assigned name": "OCTOBERs", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "VLC.exe", "Startup value": "Rmc", "Hide file": "Disable", "Mutex": "Chrorne-CKQJ2Y", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
| Windows_Trojan_Remcos_b296e965 | unknown | unknown |
| |
| REMCOS_RAT_variants | unknown | unknown |
| |
| INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | detects Windows exceutables potentially bypassing UAC using eventvwr.exe | ditekSHen |
|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
| Windows_Trojan_Remcos_b296e965 | unknown | unknown |
| |
| Windows_Trojan_Remcos_b296e965 | unknown | unknown |
| |
| Click to see the 3 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
| Windows_Trojan_Remcos_b296e965 | unknown | unknown |
| |
| Windows_Trojan_Remcos_b296e965 | unknown | unknown |
| |
| REMCOS_RAT_variants | unknown | unknown |
| |
| Click to see the 3 entries | ||||
Stealing of Sensitive Information |   |
|---|
| Source: | Author: Joe Security: | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-04T11:34:34.955076+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49725 | 64.188.16.157 | 31944 | TCP |
| 2024-10-04T11:34:57.329750+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49850 | 64.188.16.157 | 31944 | TCP |
| 2024-10-04T11:35:19.752659+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49974 | 64.188.16.157 | 31944 | TCP |
| 2024-10-04T11:35:42.128299+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49976 | 64.188.16.157 | 31944 | TCP |
| 2024-10-04T11:36:04.519512+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49977 | 64.188.16.157 | 31944 | TCP |
| 2024-10-04T11:36:26.913999+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49978 | 64.188.16.157 | 31944 | TCP |
| 2024-10-04T11:36:49.334368+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49979 | 64.188.16.157 | 31944 | TCP |
| 2024-10-04T11:37:11.721647+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49980 | 64.188.16.157 | 31944 | TCP |
| 2024-10-04T11:37:34.116208+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49981 | 64.188.16.157 | 31944 | TCP |
| 2024-10-04T11:37:56.538639+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49982 | 64.188.16.157 | 31944 | TCP |
| 2024-10-04T11:38:18.925581+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49983 | 64.188.16.157 | 31944 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 0_2_004315EC | |
| Source: | Binary or memory string: | memstr_dfbdb724-c | |
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0041A01B | |
| Source: | Code function: | 0_2_0040B28E | |
| Source: | Code function: | 0_2_0040838E | |
| Source: | Code function: | 0_2_004087A0 | |
| Source: | Code function: | 0_2_00407848 | |
| Source: | Code function: | 0_2_004068CD | |
| Source: | Code function: | 0_2_0044BA59 | |
| Source: | Code function: | 0_2_0040AA71 | |
| Source: | Code function: | 0_2_00417AAB | |
| Source: | Code function: | 0_2_0040AC78 | |
| Source: | Code function: | 0_2_00406D28 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | DNS query: | ||
| Source: | TCP traffic: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_00424A66 | |
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
Key, Mouse, Clipboard, Microphone and Screen Capturing | |
|---|
| Source: | Code function: | 0_2_00409340 | |
| Source: | Windows user hook set: | Jump to behavior | ||
| Source: | Code function: | 0_2_0040A65A | |
| Source: | Code function: | 0_2_00414EC1 | |
| Source: | Code function: | 0_2_0040A65A | |
| Source: | Code function: | 0_2_00409468 | |
E-Banking Fraud | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Spam, unwanted Advertisements and Ransom Demands | |
|---|
| Source: | Code function: | 0_2_0041A76C | |
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Process Stats: | ||
| Source: | Code function: | 0_2_00414DB4 | |
| Source: | Code function: | 0_2_00425152 | |
| Source: | Code function: | 0_2_00435286 | |
| Source: | Code function: | 0_2_004513D4 | |
| Source: | Code function: | 0_2_0045050B | |
| Source: | Code function: | 0_2_00436510 | |
| Source: | Code function: | 0_2_004316FB | |
| Source: | Code function: | 0_2_0043569E | |
| Source: | Code function: | 0_2_00443700 | |
| Source: | Code function: | 0_2_004257FB | |
| Source: | Code function: | 0_2_004128E3 | |
| Source: | Code function: | 0_2_00425964 | |
| Source: | Code function: | 0_2_0041B917 | |
| Source: | Code function: | 0_2_0043D9CC | |
| Source: | Code function: | 0_2_00435AD3 | |
| Source: | Code function: | 0_2_00424BC3 | |
| Source: | Code function: | 0_2_0043DBFB | |
| Source: | Code function: | 0_2_0044ABA9 | |
| Source: | Code function: | 0_2_00433C0B | |
| Source: | Code function: | 0_2_00434D8A | |
| Source: | Code function: | 0_2_0043DE2A | |
| Source: | Code function: | 0_2_0041CEAF | |
| Source: | Code function: | 0_2_00435F08 | |
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_00415C90 | |
| Source: | Code function: | 0_2_0040E2E7 | |
| Source: | Code function: | 0_2_00419493 | |
| Source: | Code function: | 0_2_00418A00 | |
| Source: | Mutant created: | ||
| Source: | Command line argument: | 0_2_0040D3F0 | |
| Source: | Command line argument: | 0_2_0040D3F0 | |
| Source: | Command line argument: | 0_2_0040D3F0 | |
| Source: | Command line argument: | 0_2_0040D3F0 | |
| Source: | Command line argument: | 0_2_0040D3F0 | |
| Source: | Command line argument: | 0_2_0040D3F0 | |
| Source: | Command line argument: | 0_2_0040D3F0 | |
| Source: | Command line argument: | 0_2_0040D3F0 | |
| Source: | Command line argument: | 0_2_0040D3F0 | |
| Source: | Command line argument: | 0_2_0040D3F0 | |
| Source: | Command line argument: | 0_2_0040D3F0 | |
| Source: | Command line argument: | 0_2_0040D3F0 | |
| Source: | Command line argument: | 0_2_0040D3F0 | |
| Source: | Command line argument: | 0_2_0040D3F0 | |
| Source: | Command line argument: | 0_2_0040D3F0 | |
| Source: | Command line argument: | 0_2_0040D3F0 | |
| Source: | Command line argument: | 0_2_0040D3F0 | |
| Source: | Command line argument: | 0_2_0040D3F0 | |
| Source: | Command line argument: | 0_2_0040D3F0 | |
| Source: | Command line argument: | 0_2_0040D3F0 | |
| Source: | Command line argument: | 0_2_0040D3F0 | |
| Source: | Command line argument: | 0_2_0040D3F0 | |
| Source: | Command line argument: | 0_2_0040D3F0 | |
| Source: | Command line argument: | 0_2_0040D3F0 | |
| Source: | Command line argument: | 0_2_0040D3F0 | |
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0041A8DA | |
| Source: | Code function: | 0_2_004542F9 | |
| Source: | Code function: | 0_2_00432BE9 | |
| Source: | Code function: | 0_2_00454C26 | |
| Source: | Code function: | 0_2_004063C6 | |
| Source: | Code function: | 0_2_00418A00 | |
| Source: | Code function: | 0_2_0041A8DA | |
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Code function: | 0_2_0040E18D | |
| Source: | Code function: | 0_2_004186FE | |
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | API coverage: | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Code function: | 0_2_0041A01B | |
| Source: | Code function: | 0_2_0040B28E | |
| Source: | Code function: | 0_2_0040838E | |
| Source: | Code function: | 0_2_004087A0 | |
| Source: | Code function: | 0_2_00407848 | |
| Source: | Code function: | 0_2_004068CD | |
| Source: | Code function: | 0_2_0044BA59 | |
| Source: | Code function: | 0_2_0040AA71 | |
| Source: | Code function: | 0_2_00417AAB | |
| Source: | Code function: | 0_2_0040AC78 | |
| Source: | Code function: | 0_2_00406D28 | |
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_0-46845 | ||
| Source: | Code function: | 0_2_004327AE | |
| Source: | Code function: | 0_2_0041A8DA | |
| Source: | Code function: | 0_2_004407B5 | |
| Source: | Code function: | 0_2_00410763 | |
| Source: | Code function: | 0_2_004327AE | |
| Source: | Code function: | 0_2_004328FC | |
| Source: | Code function: | 0_2_004398AC | |
| Source: | Code function: | 0_2_00432D5C | |
| Source: | Code function: | 0_2_00410B5C | |
| Source: | Code function: | 0_2_004175E1 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_004329DA | |
| Source: | Code function: | 0_2_0044F17B | |
| Source: | Code function: | 0_2_0044F130 | |
| Source: | Code function: | 0_2_0044F216 | |
| Source: | Code function: | 0_2_0044F2A3 | |
| Source: | Code function: | 0_2_0040E2BB | |
| Source: | Code function: | 0_2_0044F4F3 | |
| Source: | Code function: | 0_2_0044F61C | |
| Source: | Code function: | 0_2_0044F723 | |
| Source: | Code function: | 0_2_0044F7F0 | |
| Source: | Code function: | 0_2_00445914 | |
| Source: | Code function: | 0_2_00445E1C | |
| Source: | Code function: | 0_2_0044EEB8 | |
| Source: | Code function: | 0_2_0040A0B0 | |
| Source: | Code function: | 0_2_004195F8 | |
| Source: | Code function: | 0_2_004466BF | |
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_0040A953 | |
| Source: | Code function: | 0_2_0040AA71 | |
| Source: | Code function: | 0_2_0040AA71 | |
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Code function: | 0_2_0040567A | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 11 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 Windows Service | 1 Access Token Manipulation | 2 Obfuscated Files or Information | 211 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 211 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement |
| Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | Logon Script (Windows) | 1 Windows Service | 1 DLL Side-Loading | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 11 Process Injection | 1 Virtualization/Sandbox Evasion | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Access Token Manipulation | LSA Secrets | 23 System Information Discovery | SSH | Keylogging | 21 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Process Injection | Cached Domain Credentials | 21 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 83% | Virustotal | Browse | ||
| 89% | ReversingLabs | Win32.Trojan.Remcos | ||
| 100% | Avira | BDS/Backdoor.Gen | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Virustotal | Browse | ||
| 16% | Virustotal | Browse |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 16% | Virustotal | Browse |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| s-part-0032.t-0009.t-msedge.net | 13.107.246.60 | true | false |
| unknown |
| ab9001.ddns.net | 64.188.16.157 | true | true |
| unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 64.188.16.157 | ab9001.ddns.net | United States | 8100 | ASN-QUADRANET-GLOBALUS | true |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1525554 |
| Start date and time: | 2024-10-04 11:33:21 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 6m 18s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 6 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
| Detection: | MAL |
| Classification: | mal100.rans.troj.spyw.evad.winEXE@1/1@4/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
| Time | Type | Description |
|---|---|---|
| 05:34:44 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 64.188.16.157 | Get hash | malicious | Remcos | Browse | ||
| Get hash | malicious | Remcos | Browse | |||
| Get hash | malicious | Remcos | Browse | |||
| Get hash | malicious | Remcos | Browse | |||
| Get hash | malicious | GuLoader, Remcos | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| s-part-0032.t-0009.t-msedge.net | Get hash | malicious | LummaC, Vidar | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | RedLine | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Phisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HtmlDropper | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| ab9001.ddns.net | Get hash | malicious | Remcos | Browse |
| |
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | Remcos | Browse |
| ||
| Get hash | malicious | GuLoader, Remcos | Browse |
| ||
| Get hash | malicious | GuLoader, Remcos | Browse |
| ||
| Get hash | malicious | GuLoader, Remcos | Browse |
| ||
| Get hash | malicious | GuLoader, Remcos | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| ASN-QUADRANET-GLOBALUS | Get hash | malicious | Remcos | Browse |
| |
| Get hash | malicious | FormBook, GuLoader | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AgentTesla | Browse |
| ||
| Get hash | malicious | Mirai, Moobot | Browse |
| ||
| Get hash | malicious | XenoRAT | Browse |
| ||
| Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
| Get hash | malicious | Snake Keylogger | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
⊘No context
⊘No context
| Process: | C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 144 |
| Entropy (8bit): | 3.3603882199736725 |
| Encrypted: | false |
| SSDEEP: | 3:rhlKlM+VlZIWlDfMfWl5JWRal2Jl+7R0DAlBG45klovDl6v:6lJCWRf5YcIeeDAlOWAv |
| MD5: | 6ACE5876B0140A058CE242F5204A005A |
| SHA1: | AB082D8F974DE6E2E6148C3B1355F3BA47D80555 |
| SHA-256: | F72666B38E0E51401604EE43CE87FBB155C8C072BB10CF728058BCB4B61178F1 |
| SHA-512: | 8B6E932650E033DF83CB6C8B30299974839E9099B882417AA5DDABA8FD9EABA311FBF8015360BD5700ED1B23EFF9B7272BED1B55E703B1A461EE71CD6869BA5D |
| Malicious: | true |
| Yara Hits: |
|
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.592135693740761 |
| TrID: |
|
| File name: | 1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
| File size: | 480'768 bytes |
| MD5: | af9d6cdc4ff098c170ad543c236e6e0a |
| SHA1: | eb3dd66a5e96512f94fd29b07d2ac277d66b30b6 |
| SHA256: | 372cbc51a06856ab5865659790ec01821c095afda53e177256eebe1ae4af5b6a |
| SHA512: | 3e7eb91299ed161c395a750783e91237eaf53e070b224ecf9bab120720b1a093c38faf3507cfd908c0e88ab59c5af03b248bfc8856de8a68f290ded5880eb4c8 |
| SSDEEP: | 12288:umnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSAn9:WiLJbpI7I2WhQqZ7A9 |
| TLSH: | 49A4AE02BAD2C072D57121344D2AE775DABDBC212835997BB3E61D5BFD30180A73A7B2 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..!...r...r...r.S r...r.S"r...r.S#r...r..Ur...r.o.r...r...s...r...s<..r...s$..r..Br...r...r*..r...sg..r...r...r...s...rRich... |
 | |
| Icon Hash: | 95694d05214c1b33 |
| Entrypoint: | 0x4327a4 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x63011007 [Sat Aug 20 16:47:03 2022 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | 5d354883fe6f15fcf48045037a99fb7a |
| Instruction |
|---|
| call 00007FB179383957h |
| jmp 00007FB1793833A3h |
| push ebp |
| mov ebp, esp |
| sub esp, 00000324h |
| push ebx |
| push esi |
| push 00000017h |
| call 00007FB1793A502Fh |
| test eax, eax |
| je 00007FB179383517h |
| mov ecx, dword ptr [ebp+08h] |
| int 29h |
| xor esi, esi |
| lea eax, dword ptr [ebp-00000324h] |
| push 000002CCh |
| push esi |
| push eax |
| mov dword ptr [0046ED04h], esi |
| call 00007FB179385962h |
| add esp, 0Ch |
| mov dword ptr [ebp-00000274h], eax |
| mov dword ptr [ebp-00000278h], ecx |
| mov dword ptr [ebp-0000027Ch], edx |
| mov dword ptr [ebp-00000280h], ebx |
| mov dword ptr [ebp-00000284h], esi |
| mov dword ptr [ebp-00000288h], edi |
| mov word ptr [ebp-0000025Ch], ss |
| mov word ptr [ebp-00000268h], cs |
| mov word ptr [ebp-0000028Ch], ds |
| mov word ptr [ebp-00000290h], es |
| mov word ptr [ebp-00000294h], fs |
| mov word ptr [ebp-00000298h], gs |
| pushfd |
| pop dword ptr [ebp-00000264h] |
| mov eax, dword ptr [ebp+04h] |
| mov dword ptr [ebp-0000026Ch], eax |
| lea eax, dword ptr [ebp+04h] |
| mov dword ptr [ebp-00000260h], eax |
| mov dword ptr [ebp-00000324h], 00010001h |
| mov eax, dword ptr [eax-04h] |
| push 00000050h |
| mov dword ptr [ebp-00000270h], eax |
| lea eax, dword ptr [ebp-58h] |
| push esi |
| push eax |
| call 00007FB1793858D9h |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6ba58 | 0xf0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x76000 | 0x4aa0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7b000 | 0x39ac | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x69f10 | 0x38 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x69fa4 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x69f48 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x56000 | 0x4ac | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x5434b | 0x54400 | d720cbda6f644b704b35ac907cc56d49 | False | 0.574827290430267 | data | 6.624462527244835 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x56000 | 0x17392 | 0x17400 | 7f74ade58c43b15ee0754893e037c956 | False | 0.5001050067204301 | data | 5.8556949326481496 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x6e000 | 0x5c2c | 0xe00 | 121423e4a98fa367c6f6bf7e0478d052 | False | 0.21986607142857142 | data | 2.967957166860955 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0x74000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .gfids | 0x75000 | 0x230 | 0x400 | c42969612e5c912b6c5d217fb5c3eeb3 | False | 0.3203125 | data | 2.368295399421673 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x76000 | 0x4aa0 | 0x4c00 | f75f617499f887b3e7eb64e5a34ec910 | False | 0.27446546052631576 | data | 3.9789338540146306 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x7b000 | 0x39ac | 0x3a00 | fdc450eb9b0c8ffc8324fb61b541b328 | False | 0.7665005387931034 | data | 6.71659520483491 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x7618c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837 |
| RT_ICON | 0x765f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885 |
| RT_ICON | 0x76f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052 |
| RT_ICON | 0x78024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513 |
| RT_RCDATA | 0x7a5cc | 0x493 | data | 1.0093936806148591 | ||
| RT_GROUP_ICON | 0x7aa60 | 0x3e | data | English | United States | 0.8064516129032258 |
| DLL | Import |
|---|---|
| KERNEL32.dll | CopyFileW, CreateMutexA, GetLocaleInfoA, CreateToolhelp32Snapshot, OpenMutexA, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, lstrcatW, GetCurrentProcessId, GetTempFileNameW, GetCurrentProcess, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FormatMessageA, AllocConsole, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, GetLongPathNameW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, HeapReAlloc, GetACP, GetStdHandle, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, LoadLibraryExW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, ExpandEnvironmentStringsA, FindNextFileA, FindFirstFileA, GetFileSize, TerminateThread, GetLastError, SetFileAttributesW, GetModuleHandleA, RemoveDirectoryW, MoveFileW, CreateDirectoryW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, ExitProcess, GetProcAddress, LoadLibraryA, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, QueryPerformanceCounter, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleW, WaitForSingleObjectEx, ResetEvent, SetEndOfFile |
| USER32.dll | CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, TranslateMessage, DispatchMessageA, GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, DrawIcon, GetSystemMetrics, GetIconInfo, SystemParametersInfoW, GetCursorPos, RegisterClassExA, AppendMenuA, mouse_event, CreateWindowExA, DefWindowProcA, TrackPopupMenu, CreatePopupMenu, EnumDisplaySettingsW, SendInput, CloseWindow, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible |
| GDI32.dll | CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteDC, DeleteObject, CreateDCA, GetObjectA |
| ADVAPI32.dll | CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW, RegDeleteKeyA |
| SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW |
| SHLWAPI.dll | StrToIntA, PathFileExistsW, PathFileExistsA |
| WINMM.dll | waveInPrepareHeader, waveInStop, waveInUnprepareHeader, mciSendStringA, PlaySoundW, waveInOpen, waveInStart, waveInAddBuffer, waveInClose, mciSendStringW |
| WS2_32.dll | WSAGetLastError, recv, connect, socket, send, WSAStartup, closesocket, inet_ntoa, gethostbyname, WSASetLastError, inet_addr, gethostbyaddr, getservbyport, ntohs, getservbyname, htons, htonl |
| urlmon.dll | URLDownloadToFileW, URLOpenBlockingStreamW |
| gdiplus.dll | GdiplusStartup, GdipGetImageEncoders, GdipCloneImage, GdipAlloc, GdipDisposeImage, GdipFree, GdipGetImageEncodersSize, GdipSaveImageToStream, GdipLoadImageFromStream |
| WININET.dll | InternetOpenUrlW, InternetCloseHandle, InternetReadFile, InternetOpenW |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-04T11:34:34.955076+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49725 | 64.188.16.157 | 31944 | TCP |
| 2024-10-04T11:34:57.329750+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49850 | 64.188.16.157 | 31944 | TCP |
| 2024-10-04T11:35:19.752659+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49974 | 64.188.16.157 | 31944 | TCP |
| 2024-10-04T11:35:42.128299+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49976 | 64.188.16.157 | 31944 | TCP |
| 2024-10-04T11:36:04.519512+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49977 | 64.188.16.157 | 31944 | TCP |
| 2024-10-04T11:36:26.913999+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49978 | 64.188.16.157 | 31944 | TCP |
| 2024-10-04T11:36:49.334368+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49979 | 64.188.16.157 | 31944 | TCP |
| 2024-10-04T11:37:11.721647+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49980 | 64.188.16.157 | 31944 | TCP |
| 2024-10-04T11:37:34.116208+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49981 | 64.188.16.157 | 31944 | TCP |
| 2024-10-04T11:37:56.538639+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49982 | 64.188.16.157 | 31944 | TCP |
| 2024-10-04T11:38:18.925581+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49983 | 64.188.16.157 | 31944 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 4, 2024 11:34:13.576520920 CEST | 49725 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:34:13.585402012 CEST | 31944 | 49725 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:34:13.585572004 CEST | 49725 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:34:13.591979027 CEST | 49725 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:34:13.597567081 CEST | 31944 | 49725 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:34:34.954803944 CEST | 31944 | 49725 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:34:34.955075979 CEST | 49725 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:34:34.955369949 CEST | 49725 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:34:34.960145950 CEST | 31944 | 49725 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:34:35.961461067 CEST | 49850 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:34:35.966356993 CEST | 31944 | 49850 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:34:35.966483116 CEST | 49850 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:34:35.970144987 CEST | 49850 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:34:35.974962950 CEST | 31944 | 49850 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:34:57.329591036 CEST | 31944 | 49850 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:34:57.329750061 CEST | 49850 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:34:57.329849005 CEST | 49850 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:34:57.338737011 CEST | 31944 | 49850 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:34:58.339873075 CEST | 49974 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:34:58.344854116 CEST | 31944 | 49974 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:34:58.345210075 CEST | 49974 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:34:58.349040985 CEST | 49974 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:34:58.353943110 CEST | 31944 | 49974 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:35:19.751476049 CEST | 31944 | 49974 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:35:19.752659082 CEST | 49974 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:35:19.752837896 CEST | 49974 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:35:19.757783890 CEST | 31944 | 49974 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:35:20.768142939 CEST | 49976 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:35:20.772991896 CEST | 31944 | 49976 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:35:20.773082018 CEST | 49976 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:35:20.776859999 CEST | 49976 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:35:20.781704903 CEST | 31944 | 49976 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:35:42.128218889 CEST | 31944 | 49976 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:35:42.128298998 CEST | 49976 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:35:42.128400087 CEST | 49976 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:35:42.133214951 CEST | 31944 | 49976 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:35:43.133106947 CEST | 49977 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:35:43.137944937 CEST | 31944 | 49977 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:35:43.138031006 CEST | 49977 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:35:43.141551971 CEST | 49977 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:35:43.146404028 CEST | 31944 | 49977 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:36:04.519359112 CEST | 31944 | 49977 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:36:04.519511938 CEST | 49977 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:36:04.519933939 CEST | 49977 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:36:04.524970055 CEST | 31944 | 49977 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:36:05.523427963 CEST | 49978 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:36:05.528301001 CEST | 31944 | 49978 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:36:05.528369904 CEST | 49978 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:36:05.531898975 CEST | 49978 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:36:05.536722898 CEST | 31944 | 49978 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:36:26.912174940 CEST | 31944 | 49978 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:36:26.913999081 CEST | 49978 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:36:26.914086103 CEST | 49978 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:36:26.918968916 CEST | 31944 | 49978 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:36:27.941159010 CEST | 49979 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:36:27.946242094 CEST | 31944 | 49979 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:36:27.948580980 CEST | 49979 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:36:27.952095032 CEST | 49979 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:36:27.960475922 CEST | 31944 | 49979 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:36:49.334278107 CEST | 31944 | 49979 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:36:49.334367990 CEST | 49979 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:36:49.334441900 CEST | 49979 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:36:49.339298964 CEST | 31944 | 49979 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:36:50.351418972 CEST | 49980 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:36:50.356565952 CEST | 31944 | 49980 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:36:50.356694937 CEST | 49980 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:36:50.361206055 CEST | 49980 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:36:50.366157055 CEST | 31944 | 49980 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:37:11.721450090 CEST | 31944 | 49980 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:37:11.721647024 CEST | 49980 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:37:11.721647024 CEST | 49980 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:37:11.726479053 CEST | 31944 | 49980 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:37:12.726380110 CEST | 49981 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:37:12.731331110 CEST | 31944 | 49981 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:37:12.731437922 CEST | 49981 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:37:12.735244989 CEST | 49981 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:37:12.740164995 CEST | 31944 | 49981 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:37:34.116086006 CEST | 31944 | 49981 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:37:34.116208076 CEST | 49981 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:37:34.116256952 CEST | 49981 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:37:34.121525049 CEST | 31944 | 49981 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:37:35.144320011 CEST | 49982 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:37:35.149554968 CEST | 31944 | 49982 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:37:35.149620056 CEST | 49982 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:37:35.153728008 CEST | 49982 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:37:35.158518076 CEST | 31944 | 49982 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:37:56.538530111 CEST | 31944 | 49982 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:37:56.538639069 CEST | 49982 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:37:56.538731098 CEST | 49982 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:37:56.545205116 CEST | 31944 | 49982 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:37:57.554956913 CEST | 49983 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:37:57.559789896 CEST | 31944 | 49983 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:37:57.561661959 CEST | 49983 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:37:57.565210104 CEST | 49983 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:37:57.569994926 CEST | 31944 | 49983 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:38:18.925193071 CEST | 31944 | 49983 | 64.188.16.157 | 192.168.2.9 |
| Oct 4, 2024 11:38:18.925580978 CEST | 49983 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:38:18.925580978 CEST | 49983 | 31944 | 192.168.2.9 | 64.188.16.157 |
| Oct 4, 2024 11:38:18.931179047 CEST | 31944 | 49983 | 64.188.16.157 | 192.168.2.9 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 4, 2024 11:34:13.547236919 CEST | 65304 | 53 | 192.168.2.9 | 1.1.1.1 |
| Oct 4, 2024 11:34:13.562170982 CEST | 53 | 65304 | 1.1.1.1 | 192.168.2.9 |
| Oct 4, 2024 11:35:20.757446051 CEST | 50921 | 53 | 192.168.2.9 | 1.1.1.1 |
| Oct 4, 2024 11:35:20.766815901 CEST | 53 | 50921 | 1.1.1.1 | 192.168.2.9 |
| Oct 4, 2024 11:36:27.928771973 CEST | 54911 | 53 | 192.168.2.9 | 1.1.1.1 |
| Oct 4, 2024 11:36:27.937359095 CEST | 53 | 54911 | 1.1.1.1 | 192.168.2.9 |
| Oct 4, 2024 11:37:35.131860018 CEST | 58675 | 53 | 192.168.2.9 | 1.1.1.1 |
| Oct 4, 2024 11:37:35.143044949 CEST | 53 | 58675 | 1.1.1.1 | 192.168.2.9 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Oct 4, 2024 11:34:13.547236919 CEST | 192.168.2.9 | 1.1.1.1 | 0xa965 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 4, 2024 11:35:20.757446051 CEST | 192.168.2.9 | 1.1.1.1 | 0x8c1b | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 4, 2024 11:36:27.928771973 CEST | 192.168.2.9 | 1.1.1.1 | 0xbff5 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Oct 4, 2024 11:37:35.131860018 CEST | 192.168.2.9 | 1.1.1.1 | 0xbdf0 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Oct 4, 2024 11:34:09.521409988 CEST | 1.1.1.1 | 192.168.2.9 | 0x692a | No error (0) | s-part-0032.t-0009.t-msedge.net | CNAME (Canonical name) | IN (0x0001) | false | ||
| Oct 4, 2024 11:34:09.521409988 CEST | 1.1.1.1 | 192.168.2.9 | 0x692a | No error (0) | 13.107.246.60 | A (IP address) | IN (0x0001) | false | ||
| Oct 4, 2024 11:34:13.562170982 CEST | 1.1.1.1 | 192.168.2.9 | 0xa965 | No error (0) | 64.188.16.157 | A (IP address) | IN (0x0001) | false | ||
| Oct 4, 2024 11:35:20.766815901 CEST | 1.1.1.1 | 192.168.2.9 | 0x8c1b | No error (0) | 64.188.16.157 | A (IP address) | IN (0x0001) | false | ||
| Oct 4, 2024 11:36:27.937359095 CEST | 1.1.1.1 | 192.168.2.9 | 0xbff5 | No error (0) | 64.188.16.157 | A (IP address) | IN (0x0001) | false | ||
| Oct 4, 2024 11:37:35.143044949 CEST | 1.1.1.1 | 192.168.2.9 | 0xbdf0 | No error (0) | 64.188.16.157 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
| Target ID: | 0 |
| Start time: | 05:34:12 |
| Start date: | 04/10/2024 |
| Path: | C:\Users\user\Desktop\1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 480'768 bytes |
| MD5 hash: | AF9D6CDC4FF098C170AD543C236E6E0A |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 3% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 23.7% |
| Total number of Nodes: | 1120 |
| Total number of Limit Nodes: | 43 |
Graph
Function 0041A8DA Relevance: 105.1, APIs: 36, Strings: 24, Instructions: 130libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00409340 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040E18D Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 90sleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004195F8 Relevance: 3.0, APIs: 2, Instructions: 41COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00424A66 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00413980 Relevance: 42.8, APIs: 5, Strings: 19, Instructions: 785sleepnetworkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00409C1F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 156sleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040971E Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 163sleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040966D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041215F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041A17B Relevance: 7.6, APIs: 5, Instructions: 67fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00409203 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00411F34 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00443649 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00443697 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040163E Relevance: 3.0, APIs: 2, Instructions: 32COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041393F Relevance: 3.0, APIs: 2, Instructions: 21networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00404E06 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00424A7D Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00410B5C Relevance: 35.2, APIs: 7, Strings: 13, Instructions: 238threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00406D28 Relevance: 34.1, APIs: 9, Strings: 10, Instructions: 810fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040567A Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 278pipesleepfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040AA71 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 146fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040AC78 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 131fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00414EC1 Relevance: 18.1, APIs: 12, Instructions: 83clipboardmemoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041A01B Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 106fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040B28E Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 112fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004128E3 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 485registrylibraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004466BF Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040E2E7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132processCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040A953 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004513D4 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040838E Relevance: 9.3, APIs: 6, Instructions: 293fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00410763 Relevance: 9.2, APIs: 6, Instructions: 206memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00418A00 Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00417AAB Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 245fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00414DB4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97libraryloadershutdownCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044F61C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004087A0 Relevance: 7.7, APIs: 5, Instructions: 222fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00407848 Relevance: 7.7, APIs: 5, Instructions: 186fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004063C6 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222filenetworkCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044F2A3 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00445E1C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004068CD Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004316FB Relevance: 1.8, Strings: 1, Instructions: 501COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044F4F3 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044F723 Relevance: 1.5, APIs: 1, Instructions: 46COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040E2BB Relevance: 1.5, APIs: 1, Instructions: 20COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004328FC Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004257FB Relevance: 1.4, Strings: 1, Instructions: 109COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044ABA9 Relevance: .6, Instructions: 637COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041CEAF Relevance: .6, Instructions: 598COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00425152 Relevance: .4, Instructions: 435COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00424BC3 Relevance: .4, Instructions: 383COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00435AD3 Relevance: .3, Instructions: 345COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00435F08 Relevance: .3, Instructions: 341COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043569E Relevance: .3, Instructions: 331COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00435286 Relevance: .3, Instructions: 323COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041B917 Relevance: .3, Instructions: 277COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043DE2A Relevance: .2, Instructions: 237COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043D9CC Relevance: .2, Instructions: 214COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043DBFB Relevance: .2, Instructions: 214COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00425964 Relevance: .2, Instructions: 187COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00436510 Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00416E7E Relevance: 49.3, APIs: 27, Strings: 1, Instructions: 307windowmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041642D Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 289libraryloaderthreadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040B871 Relevance: 44.0, APIs: 10, Strings: 15, Instructions: 296fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040BFDE Relevance: 44.0, APIs: 6, Strings: 19, Instructions: 281registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040BC59 Relevance: 42.3, APIs: 6, Strings: 18, Instructions: 259registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00410EDA Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 190synchronizationsleepfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00418FFD Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 180synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401A4D Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044C60D Relevance: 25.9, APIs: 17, Instructions: 419COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044E4A6 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00411899 Relevance: 23.2, APIs: 9, Strings: 4, Instructions: 417sleepfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040DE34 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 223processsynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041B344 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 74windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00443268 Relevance: 22.8, APIs: 15, Instructions: 296COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004137DC Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 109libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00407BB6 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 328fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041601D Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 108filesynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00405480 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041AA4F Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 53memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00445631 Relevance: 15.1, APIs: 10, Instructions: 54COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041A419 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 214registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00417F6A Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 176sleeptimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004159BA Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 104sleepfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041B212 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48windowstringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00450F63 Relevance: 13.8, APIs: 9, Instructions: 268COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044268B Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004069F4 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00447757 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041936B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69networkfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040A9E2 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043887C Relevance: 9.3, APIs: 6, Instructions: 284COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00444A81 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 389COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040F8B7 Relevance: 9.1, APIs: 6, Instructions: 75COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00418C2E Relevance: 9.1, APIs: 6, Instructions: 67serviceCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00418A5C Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00418B60 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00418BC7 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041B2C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00437603 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040E501 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43processCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00412204 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044083A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004050C4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00418D76 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00411140 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 93sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401BC9 Relevance: 7.6, APIs: 5, Instructions: 71COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044C53A Relevance: 7.6, APIs: 5, Instructions: 68COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040FBC8 Relevance: 7.6, APIs: 5, Instructions: 61COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00412446 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 179registryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040184A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 142threadCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00409E37 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00406071 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040513C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46synchronizationCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00412006 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40registryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00412268 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040A7F2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 18threadCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0043FD01 Relevance: 6.1, APIs: 4, Instructions: 133COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040AF4D Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004094FF Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 81sleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00440F33 Relevance: 6.1, APIs: 4, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00440FB2 Relevance: 6.1, APIs: 4, Instructions: 59COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00445A95 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0041A20F Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00419F87 Relevance: 6.0, APIs: 4, Instructions: 37COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00436CD1 Relevance: 6.0, APIs: 4, Instructions: 14COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004126FE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044ED17 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00415B11 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00432D4B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00412077 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52registryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0044C257 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040A592 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040A5EC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00412414 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004112B5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004105C4 Relevance: 5.1, APIs: 4, Instructions: 119COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|